Rate limiting in a decentralized control plane of a computing system

ABSTRACT

A method of processing a request for a service of a control plane in a computer system includes receiving the request, from a client, at a service host process executing on a software platform of the computer system; generating an operation object in the service host process that encapsulates a request/response pattern started by the request, the operation object including a plurality of fields that store a context for the request/response pattern within the service host process; determining a key based on the context stored by the plurality of fields; obtaining a rate limit associated with the key; and permitting or denying the request for the service based on whether a rate of requests targeting the service exceeds the rate limit.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Patent Application Ser. No. 62/355,541, filed Jun. 28, 2016, which is incorporated by reference herein in its entirety.

BACKGROUND

The use of monolithic applications in a computing system, such as a cloud computing system, is gradually being replaced by sets of loosely coupled, independent services. Factoring applications into small services (sometimes referred to as “micro-services”) allows those services to have a developmental and operational lifecycle that is independent of their peers. These services typically have a smaller set of responsibilities than their monolithic predecessors, as well as a well-defined application programming interface (API).

The use of such a system of micro-services also comes at a cost: every service may use its own data model, use its own backing store, and define its own interfaces and its own interaction models. As the number of services increases, it becomes difficult to administer the system. For example, different services may use a combination of synchronous and asynchronous APIs, different transports, different serialization formats, their own facilities for authentication and authorization, and so forth. As such, administrators and operators of such systems must possess deep system knowledge to identify runtime issues, and must be informed of the intricacies of every new service added to the system. The proliferation of service technologies also means that users of the system have to use various methods to interact with the system, with varying degrees of observability and extensibility.

SUMMARY

One or more embodiments provide techniques for rate limiting in a decentralized control plane of a computing system. In an embodiment, a method of processing a request for a service of a control plane in a computer system includes receiving the request, from a client, at a service host process executing on a software platform of the computer system; generating an operation object in the service host process that encapsulates a request/response pattern started by the request, the operation object including a plurality of fields that store a context for the request/response pattern within the service host process; determining a key based on the context stored by the plurality of fields; obtaining a rate limit associated with the key; and permitting or denying the request for the service based on whether a rate of requests targeting the service exceeds the rate limit.

Further embodiments include a non-transitory computer-readable storage medium comprising instructions that cause a computer system to carry out the above method, as well as a computer system configured to carry out the above method.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram depicting an embodiment of a computer system supporting execution of decentralized control plane (DCP) software;

FIG. 2 is a block diagram depicting a DCP according to an embodiment.

FIG. 3 is a block diagram depicting a service host process of a DCP according to an embodiment.

FIG. 4 is a flow diagram depicting a method of implementing a control plane for services in a computer system according to an embodiment.

FIG. 5 is a state diagram showing service object lifecycle according to an embodiment.

FIG. 6 is a block diagram depicting structure of a service document object according to an embodiment.

FIG. 7 is a block diagram depicting an operation object according to an embodiment.

FIG. 8 is a block diagram depicting an access control subsystem of the framework according to an embodiment.

FIG. 9 is a flow diagram depicting a method of controlling access to a target service according to an embodiment.

FIG. 10 is a flow diagram depicting a method of pre-processing a request to initialize an authorization context according to an embodiment.

FIG. 11 is a flow diagram depicting a method of generating authorization queries for an authorization context according to an embodiment.

FIG. 12 is a flow diagram depicting a method of authenticating a login request according to an embodiment.

FIG. 13 is a block diagram depicting the service document object of FIG. 6 according to another embodiment.

FIG. 14 is a block diagram depicting the operation object of FIG. 7 according to another embodiment.

FIG. 15 is a flow diagram depicting a method of processing a request for a service in a control plane according to an embodiment.

FIG. 16 is a block diagram depicting an example of a rate limit object according to an embodiment.

FIG. 17 is a flow diagram depicting a method of determining a request rate according to an embodiment.

To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures. It is contemplated that elements disclosed in one embodiment may be beneficially utilized on other embodiments without specific recitation.

DETAILED DESCRIPTION Decentralized Control Plane Architecture

FIG. 1 is a block diagram depicting an embodiment of a computer system 100 supporting execution of decentralized control plane (DCP) software (DCP 122). At least a portion of computer system 100 may be part of an on-premise data center controlled and administrated by a particular enterprise or business organization, part of a cloud computing system operated by a cloud computing service provider, or part of a combination of on-premise data center and cloud computing systems. An-premise data center may sometimes be referred to as a “private” cloud; a cloud computing system may be referred to as a “public” cloud; and a combination thereof may be referred to as a “hybrid cloud.”

Computer system 100 includes one or more host computers (“host(s) 150”), a network 140, managed hosts 130, and one or more computing devices 160. Network 140 can include various routers, switches, and like network appliances that facilitate communication among hosts 150, between host(s) 150 and computing device(s) 160, and between host(s) 150 and managed hosts 130. Each host 150 is constructed on a hardware platform 101, such as an x86 architecture platform. As shown, hardware platform 101 includes conventional components of a computing device distributed across host(s) 150, such as central processing units (“CPU 104”), system memory (“MEM 106”), storage resources (“storage 108”), and network resources (“NET 110”). CPU 104 is configured to execute instructions, for example, executable instructions that perform one or more operations described herein. Such executable instructions can be stored in MEM 106 and/or in storage 108. MEM 106 includes devices allowing information, such as executable instructions and data, to be stored and retrieved. MEM 110 may include, for example, one or more random access memory (RAM) modules. NET 110 enables host(s) 150 to interface with network 140 and can include network adapters. Storage 108 includes local storage devices (e.g., one or more hard disks, flash memory modules, solid state disks, and optical disks) and/or storage interfaces to network data storage systems (not shown). Example network data storage systems include storage area networks (SANs), a network-attached storage (NAS), and the like. Data “stored” in storage 108 encompasses both data stored in the local storage devices and data stored on network data storage systems accessible through the storage interfaces.

Host(s) 150 include a software platform 103 executing on hardware platform 101. In an embodiment, software platform 103 includes a virtualization layer that abstracts processor, memory, storage, and networking resources of hardware platform 101 into multiple virtual machines (“VMs 114”) that run concurrently on the same hosts. VMs 120 run on top of the virtualization layer, referred to herein as a hypervisor 112, which enables sharing of the hardware resources by VMs 114. One example of hypervisor 112 that may be used in an embodiment described herein is a VMware ESXi™ hypervisor provided as part of the VMware vSphere® solution made commercially available from VMware, Inc. of Palo Alto, Calif. Hypervisor 112 may run directly on hardware platform 101 or on top of an operating system. Each of VMs 114 executes a guest operating system (“guest OS 116”). Guest OS 116 can be any commodity operating system known in the art.

In another embodiment, software platform 103 includes an operating system (“OS 118”) that runs directly on hardware platform 101. OS 118 can be any commodity operating system known in the art. In another embodiment, software platform 103 includes containers 120 executing within OS 118. Containers 118 implement operating system-level virtualization, wherein an abstraction layer is provided on top of the kernel of OS 118. The abstraction layer supports multiple containers each including an application and its dependencies. Containers 118 do not include a guest OS and are sometimes referred to as “OS-less containers.” Each container runs as an isolated process in userspace and shares the kernel with other containers. The container relies on the kernel's functionality to make use of resource isolation (CPU, memory, block I/O, network, etc.) and separate namespaces and to completely isolate the application's view of the operating environments. By using containers, resources can be isolated, services restricted, and processes provisioned to have a private view of the operating system with their own process ID space, file system structure, and network interfaces. Multiple containers can share the same kernel, but each container can be constrained to only use a defined amount of resources such as CPU, memory and I/O. The term “virtualized computing instance” as used herein is meant to encompass both VMs and containers. The term “virtualization software” as used herein is mean to encompass both a hypervisor and an operating system kernel supporting containers. Each host 150 can include any embodiment of software platform 103 described above.

Software platform 103 provides an interface between DCP 122 and hardware platform 101. DCP 122 can execute in a single host 150 or can be distributed across multiple hosts 150. For any host 150, DCP 122 can execute within guest OS 116 of one or more VMs 114, within OS 118, or within one or more containers 120 running on OS 118. DCP 122 includes a programmable framework and runtime software that enable building and running of distributed, highly-available, and scaled-out services 123 (also referred to as “microservices”). Services 123 include an external representational state transfer (REST) interface and can be implemented by a set of distributed nodes. DCP 122 includes a document store for backing service state and the runtime provides replication, synchronization, ordering, and consistency for the service state. One example of DCP that may be configured and used as described herein is Project Xenon™ distributed by VMware, Inc. of Palo Alto, Calif.

In an embodiment, DCP 122 manages hosts (“managed hosts 130”) and software installed on such hosts (“managed software 135”). Managed hosts 130 can be configured similarly to host(s) 150. Managed software 135 can include hypervisors, VMs, guest OS, containers, OS, and the like (similar to software platform 103), as well as applications. DCP 122 can be used to build an IaaS fabric within managed hosts 130. Services 123 can be used for configuration (desired state), workflows (e.g., finite state machine tasks), grooming, scheduling logic, and the like. IaaS implementation is just one example use of DCP 122. In general, DCP 122 includes services that can be used to manage various aspects of managed hosts 130 and managed software 135.

Computing devices 160 can execute client applications 165 to interact with DCP 122. Computing devices 160 can include computers, laptops, tablets, mobile devices, or the like. Client applications 165 can communicate with services of DCP 122 using their REST interfaces. Client applications 165 can start, pause, resume, and stop services of DCP 122 using REST application programming interface (API) commands, as described further below.

FIG. 2 is a block diagram depicting DCP 122 according to an embodiment. DCP 122 includes one or more nodes 206. A “node” is a process, which can execute in various contexts, such as an OS of a host computer, guest OS of a VM, container in an OS, etc. In general, nodes 206 host one or more services 204. Thus, a node is an instance of a “service host process.” A node can execute directly on an OS kernel (e.g., compiled C, C++, etc. processes) or within a runtime environment (e.g., Java®, Go™, etc. processes). In various examples described herein, each node 206 is a Java® process with Java® objects, but those skilled in the art will appreciate that the examples can be ported to other programming languages and platforms. Each node 206 is accessed using an Internet Protocol (IP) address and transmission control protocol (TCP) port. A given host environment (e.g., OS, guest OS, container, etc.) can host one or more nodes. In cases where a host environment hosts multiple nodes, each node can be assigned a different IP address and/or TCP port. For example, a service of DCP 122 named Examples can be accessed on a node localhost through port 8000 using a uniform resource indicator (URI)http://localhost:8000/core/examples.

A “service” is a logical object in DCP 122 having a unique URI. An example URI of a service is/core/examples/example1. A service is managed externally through a REST API. Each node 206 hosts one or more service instances 210. A “service instance” is an object within a node that handles requests targeting a service 123 of DCP 122 (referred to as a “service object”). On a given node 206, the URI of a service 123 maps to a service instance 210. For example, if a node 206 is a Java® process, a service instance 210 can be a Java® object instantiated in the Java® process. A “request” is a message including verb mapped to an action of the REST API. In an embodiment, the REST API supports actions mapped to hypertext transfer protocol (HTTP) verbs, such as POST, DELETE, PATCH, PUT, and GET. A “response” is a message including status and potentially results of a request.

A service 123 of DCP 122 is implemented by one or more service instances 210 within one or more nodes. Nodes 206 can be organized in node groups, e.g., node group 202-1 and node group 202-2 (generally node groups 202). Each node group 202 includes one or more nodes 206. In the example, node group 202-1 includes a plurality of nodes 206, whereas node group 202-2 includes a single node 206. Services 123 can be instantiated across a plurality of nodes (i.e., a given service 123 can be implemented using a plurality of service instances 210 across a plurality of nodes 206). In such case, services instances 210 include the same URI at their respective nodes (e.g., /core/examples/example1) and implement a single service 123. Multiple service instances 210 can be implemented on a single node, in which case each service instance includes a unique URI and represents a unique service (e.g., /core/examples/example1 and/core/examples/example2). Unique services can be of the same service type (e.g., /core/examples/example1 and /core/examples/example2 can have an example service type). In the example, services 123A are distributed across nodes 206 in node group 202-1, and services 123B are implemented by node 206 in node group 202-2.

Each node 206 provides a framework 212. Framework 212 provides runtime support for service instances 210. Framework 212 provides a plurality of functionalities, such as replication, synchronization, ordering, and consistency of service state. Framework 212 also maintains a document store for persistent storage of states associated with services 123 that are configured as durable. Framework 212 is described further below with respect to FIG. 3.

Client applications 165 interact with services 123 of DCP 122 using an asynchronous request/response protocol 214. In an embodiment, request/response protocol 214 is HTTP. Services 123 can interact with each other using request/response protocol 214. Services 123 can also interact with themselves using request/response protocol 214 (e.g., a service 123 can update its state using a PATCH verb). Services 123 interact with managed hosts 130 and managed software 135 using interface 216, which can operate using any type of protocol (e.g., remote procedure protocol (RPC), HTTP, etc.) that can be used to communicate with and control managed hosts 130 and managed software 135.

FIG. 3 is a block diagram depicting a service host process 300 of DCP 122 according to an embodiment. Service host process 300 can be a node 206 of DCP 122 as described above. In the example, service host process 300 includes a plurality of service objects 301M, which are service instances of one or more user-created services. Service host process 300 also includes user-created service factory objects 301F, which can be used to create service objects 301M on request. Service objects 301M and service factory objects 301F are objects created and managed by framework 212.

Framework 212 includes runtime software (referred to as “runtime 302”), utility service objects 301U, and core service objects 301C. Runtime 302 is the code of the service host process executed by CPU 104. Runtime 302 includes HTTP logic 305, host logic 308, service logic 309, and operation logic 311. Runtime 302 also manages a pool of threads 306 within service host process 300. Core service objects 301C are service instances of various framework-supplied services, such as an index service, a query task service, a node group service, a node selector service, a management service, access control services, and various other services. In the embodiment shown, core service objects 301C include an index service object 330, a query task service factory object 332, a node group service object 334, a node selector service object 336, a management service object 338, access control service objects 360, and various other service objects 340, each of which is a service instance for a respective core service. Runtime 302 accesses persistent storage 310, which stores a document store 352, service specifications 312, document specifications 313, service host specifications 315, and service host configuration data 317. Persistent storage 310 is implemented by storage 108. Document store 352 includes a service state data 314 and an index data 318. Service state data 314 can include one or more versions 316 of service states for the services of the control plane.

Services each have a set of capabilities, defined by a plurality of service options. A user can declare the service options for services in service specifications 312. Example service options include PERSISTENCE, REPLICATION, OWNER_SELECTION, and INSTRUMENTATION. The PERSISTENCE service option indicates to runtime 302 that the respective service is durable and should have its state saved in document store 352 (i.e., persistent storage). The REPLICATION service option indicates to runtime 302 that the respective service requires state updates to be replicated among a plurality of nodes. The INSTRUMENTATION service option indicates to runtime 302 that the respective service requires tracking of various statistics. The OWNER_SELECTION service option indicates to runtime 302 that the respective service requires consensus and leader election to be used in the replication protocol. Runtime 302 can be responsive to various other service options.

In general, a user specifies a plurality of service options for services in service specifications 312. In this manner, service specifications 312 define the capabilities of respective services. In an embodiment, classes (e.g., Java® classes) define a service type and service specifications 312 include class definitions for various service types. A portion of an example class definition for a service type in the Java® programming language is shown below:

public class ExampleService extends StatefulService { public ExampleService( ) { super.toggleOption(ServiceOption.PERSISTANCE, true); super.toggleOption(ServiceOption.REPLICATION, true); super.toggleOption(ServiceOption.INSTRUMENTATION, true); super.toggleOption(ServiceOption.OWNER_SELECTION, true); } ... } In the example, a service type named “ExampleService” is declared that extends a base class “StatefulService.” The functions of the StatefulService class can be implemented by service logic 309, which is described further below. ExampleService includes a public constructor “ExampleService ( )” that makes several calls to a function “toggleOption” of the StatefulService base class for setting service options. The service options are declared as part of an enumeration “ServiceOption.” An instance of a service of type ExampleService is a service object generated by creating an instance of the ExampleService class. The above example illustrates one example technique for declaring service options for a service. Other techniques can be employed using the Java® language or other programming languages.

Document specifications 313 specify the specific structure of documents that represent states of services (“service documents”). The terms “service state” and “service document” are used interchangeably herein. A “service document instance” is an object within service host process 300 that stores a service document (referred to as a “service document object” or “service state object”). A service document object is a plain old data object (PODO) (no methods) that includes various fields. A version of the service state for a service is determined by the values of the fields of the service document object. In an embodiment, classes (e.g., Java® classes) define a type of service document and document specifications 312 include class definitions for service document types.

FIG. 6 is a block diagram depicting structure of a service document object 600 according to an embodiment. Service document object 600 includes service document fields 602 and optionally one or more annotations 608 to the service document fields 602. Service document fields 602 (also referred to as service document object fields) store values that form the service state. Service document fields 602 can include various data types, such as integers, strings, bytes, collections, maps, Booleans, floating point numbers, dates, URIs, enumerations, tuples, PODOs, and the like. A value stored by each service document field 602 can be a single value (e.g., an integer value, string value, etc.) or multiple values (e.g., a collection of values, map of key/value pairs, etc.). A service document field 602 can include one or more annotations 608. Annotations 608 provide meta-data for one or more service document fields 602.

In an embodiment, annotations 608 include usage options(s) 610 and indexing option(s) 612. Usage option(s) 610 can include one or more annotations related to how a service document field is used, such as single-assignment (i.e., indicates the field is immutable), optional (indicates that the field may or may not have a value), service-use (indicates that the field is only for use by the service and not visible to the client), infrastructure-use (indicates that the field is only for use by the runtime and not visible to the service instances or clients), link (indicates that the field is a link to another document), and the like. Indexing option(s) 612 include one or more annotations related to how a service document field should be processed when the service document is parsed for indexing and storage. Indexing option(s) 612 can include expand (indicates that a multi-value field, such as a PODOs, should have all its fields indexed and stored), store-only (indicates that the field should not be indexed, but only stored), text (indicates that the field should be indexed and stored as text), sort (indicates that the field should be indexed in a manner that enables sorting), and the like.

Service document fields 602 can include built-in fields 604 and user-defined field(s) 606. Built-in fields 604 are used by framework 212 (e.g., part of a ServiceDocument base class). Built-in fields include various fields, such as a document kind field, a self-link field (e.g., to hold a URI of the corresponding service), an authorized principal link field (e.g., to hold a URI of a user who owns the document), a document description field, document update time field, document version field, document epoch field, and the like. User-defined field(s) 606 include one or more fields defined by a user for storing service state of a user-defined service.

Returning to FIG. 3, an example class definition of a document type implemented in Java® is shown below:

public class ExampleService extends StatefulService { public static class ExampleServiceState extends ServiceDocument { public static final String FIELD_NAME_KEY_VALUES = “keyValues”; public Map<String, String> keyValues = new HashMap<>( ); public Long counter; @UsageOption(option = PropertyUsageOption.AUTO_MERGE_IF_NOT_NULL) Public String name; } ... } In the example, the ExampleService class includes a nested class “ExampleServiceState” that extends a “ServiceDocument” base class. The ExampleServiceState class includes fields “keyValues,” “counter,” and “name.” The keyValues field is a multi-valued field having a Map<string, string>type, the counter field is a single-valued field having an integer type, and the name field is a single-valued field having a string type. The name field includes a usage option annotation AUTO_MERGE_IF_NOT_NULL, which indicates that the field is updated if its value is not null during an update operation. The above example illustrates one example technique for declaring structure of a service document. Other techniques can be employed using the Java® language or other programming languages.

Runtime 302 creates service document objects 364 to store service states for use by handlers 304 of service instances 210. Each handler 304 comprises a software function configured to process a particular type of request. Each service document object 364 stores a version of service state. Service document objects 364 are stored in memory 106 of host computer 150 (e.g., in-memory service state). Service document objects 364 can be created and destroyed as handers 304 and other functions are invoked and completed. In some embodiments, runtime 302 can maintain a cache 362 for temporarily storing service document objects 364 longer than a single function or handler 304 call. Cache 362 is stored in memory 106 of host computer 150. For a durable service, its service document is stored persistently in document store 352. For a non-durable service, its service document is only stored for as long as a respective service document object is stored in memory (e.g., held in cache 362). In an embodiment, document store 352 is log-append structured storage. To save a service document, framework 212 appends the service document to service state data 314 in document store 352. If a service document is saved multiple times, then document store 352 will include multiple versions 316 of the service document. When a service document is saved, framework 212 can index at least a portion of the service document by adding to index data 318.

Each service factory object 301F is an instance of a service factory. A “service factory” is a service used to create child services. Each service factory object 301F is used to create child service objects (e.g., service objects 301M) during runtime. In an embodiment, service factory objects 301F are singletons (e.g., only one service factory object per service factory in a given service host process) and are not durable. Each service factory object 301F can include handlers for POST and GET verbs of the REST API. The handler for the POST verb creates a service object. The handler for the GET verb provides a list of created service objects and their state. An example class definition and instantiation of a service factory for a service implemented in Java® is shown below:

public class ExampleService extends StatefulService { public static FactoryService createFactory( ) { return FactoryService.createIdempotent  (ExampleService.class, ExampleServiceState.class); } ... } public class DecentralizedControlPlaneHost extends ServiceHost { public ServiceHost start( ) { // Start the example service factory super.startFactory(ExampleService.class, ExampleService::createFactory) ; ... ... } ... } In the example, the ExampleService class includes a class function “createFactory ( )” that is used to create an instance of FactoryService. The createFactory ( ) function calls a class function “createIdempotent” of a base class “FactoryService” to create the service object. A singleton instance of FactoryService is started on host start with a “start ( )” function of “DecentralizedControlPlaneHost” that extends a “ServiceHost” base class. The functions of the ServiceHost base class can be implemented by host logic 308, which is described further below.

Host logic 308 is configured to manage service lifecycle and handle delivery of operations to services (remote and local). Host logic 308 maintains a runtime context that includes various information, such as IP address, TCP port number, node ID, and the like. At least a portion of the runtime context of host logic 308 can be saved in service host configuration data 317. Host logic 308 includes various methods for initialization of runtime 302, as well as starting, stopping, pausing, resuming, etc. of core services, service factories, utility services, and user-created services. Host logic 308 can also include methods for applying authorization policies, loading service state from and saving service state to document store 352, caching service state, queuing and forwarding requests to service objects, and performing maintenance on services. Host logic 308 also schedules service handlers to use threads 306 when the service handlers are invoked. As described in the example above, a user can extend host logic 308 to include various customizations (e.g., custom start methods).

Service logic 309 is configured to implement base functionality for services. For example, service logic 309 can implement the functions of the StatefulService base class described in the examples above. Service logic 309 includes functions for queueing requests, checking service state, handling requests, loading and linking service state, validating updates to service state, handling REST API verbs, handling request completions, handling replication, and handling synchronization. For some functions, service logic 309 can cooperate with functions of host logic 308.

Operation logic 311 is configured to implement functionality for encapsulating the request/response pattern of client to service and service-to-service asynchronous communication. Operation logic 311 includes functions for creating operation objects and associating the operation objects with a response/request message, and associating the operation objects with service state objects. Operation logic 311 also includes functions for indicating whether an operation object is from replication, synchronization, or notification, and whether the operation object includes proposed state or committed state.

FIG. 7 is a block diagram depicting an operation object 700 according to an embodiment. Operation object 700 includes one or more completion callbacks 702, a link to state 704, options 706, an authorization context 708, and response/request message 714. Completion callback(s) 702 points to procedure(s) to be called in response to completion of operation 700. Link to state 704 is a reference to a service document object in memory. Options 706 can include various options, such as a replication option to indicate that the operation object is part of the replication protocol, a forwarding option to indicate that the operation object has been forwarded from another node, a notification option to indicate that the operation object is part of the notification protocol, and the like. Authorization context 708 includes information that can be used to authorize a request. Response/request message 714 can include an action 716, headers 718, a body 722, and status 724 depending on the type of message. Action 716 indicates an HTTP verb. Headers 718 can include various HTTP headers. In addition, headers 718 can include framework headers 720. Framework headers 720 include proprietary headers used by framework 212. Body 722 includes the body of a request or response message. Status 724 includes a status code for a response message. For actions that perform updates to service state (e.g., PUT or PATCH), body 722 includes the update data.

Returning to FIG. 3, each service object 301M includes a runtime context 303 and handers 304. Runtime context 304 can store various information for service object 301M, such as a current processing stage of the service object (e.g., created, available, stopped, etc.), the current version of service state, the current epoch for replication, and the like. Runtime context 304 is the portion of a service object 301M that is stored in memory. Handlers 304 can include functions invoked by runtime 302 when services are created, started, paused, resumed, and stopped. Handlers 304 can include functions invoked by runtime 302 for verbs of the REST API (e.g., GET, PUT, PATCH, DELETE, POST). Handlers 304 can extend or replace functionality of service logic 309. Handlers 304 can supply required functionality not present in service logic 309 (e.g., PUT and PATCH handlers). A user can specify handlers 304 as part of service specifications 312 (e.g., methods in a class definition). When a handler 304 is invoked, host logic 308 allocates a thread 306 to the handler.

An example definition of a PUT handler for a service implemented in Java® is shown below:

public class ExampleService extends StatefulService { public void handlePut(Operation put) { ExampleServiceState newState = getBody(put); ExampleServiceState currentState = super.getState(put); // example of structural validation If (currentState.name != null && newState.name == null) { put.fail(new IllegalArgumentException(“name must be set”)); return; } updateCounter (newState, currentState, false); // replace current state with the body of the request super.setState(put, newState); put.complete( ); } ... } In the example, the class ExampleService includes a handler “handlePut ( )” for handling PUT requests. The handlePut ( ) function receives an “Operation” parameter put that references an operation object encapsulating the request. The handlePut ( ) function first gets newState from the body of the request using a function getBody ( ) and current State of the service using a function get State ( ) of the superclass. The handlePut ( ) function then validates newState and calls the fail ( )method of put if invalid. The handlePut ( ) function then calls a private function updateCounter ( ) to update the counter field of the service state. The handlePut ( ) function then replaces the current state with the state in the body of the request using the function setState ( ) of the superclass. Finally, the handlePut ( ) function invokes the complete ( ) function of put. Other techniques can be employed using the Java® language or other programming languages for implementing a handler.

Clients access framework 212 and services using the REST API. HTTP logic 305 manages REST API transactions with clients. In an embodiment, the REST API includes HTTP actions POST, DELETE, PATCH, PUT, and GET. Sending POST to a service factory creates an instance of a service (i.e., a service object 301M). Sending POST to a service can be used to compute work or add new resources on a service. Sending DELETE to a service stops the service and creates a new empty state. Sending PATCH to a service can be used to update at least a portion of service state. Sending PUT to a service can be used to replace service state in its entirety. Sending GET to a service can be used to retrieve the state of the service. Sending GET to a service can lead to several asynchronous operations to other services to collect their states, which the service then composes on the fly and returns as its state.

In an embodiment, runtime 302 (e.g., host logic 308) starts one or more utility service objects 301U for each service object. Utility service objects 301U are instances of various utility services, such as a subscription service, statistic service, user interface (UI) service, configuration service, template service, and availability service. The subscription service can be used to provide a list of subscribers to a service. A service notifies its subscribers in response to state changes. The statistics service can be used to report various runtime statistics associated with services. The UI service can be used to render a UI on a client for accessing a service. The configuration service can be used to change service options or other configuration data during runtime. The template service can be used to provide a default state for a service. The availability service can be used to determine if a service is ready to accept requests. These are just some examples of utility services that can be instantiated by runtime 302 per service. In an embodiment, the utility services (e.g., subscription, statistics, UI, configuration, template utility services) can be implemented on service host process 300 using a single utility object 301U.

Runtime 302 (e.g., host logic 308) also creates core service objects 301C. Core service objects 301C are instances of various core services. The index service manages document store 352. Index service object 330 handles requests on behalf of runtime 302 and service objects 301M for storing and retrieving service documents at service host process 200. Index service object 330 also manages versioning and indexing of service documents at service host process 200.

Query task factory service creates query task services upon request. Remote clients or local clients (e.g., service objects 301M) can send requests to query task factory service, which are handled on service host process 300 by query task factory service object 332, to create query task services. Query task services cooperate with the index service to perform various queries to obtain service state information.

Node group service tracks node membership across node groups. Node group service employs a scalable gossip layer to manage node group membership. In an embodiment, node selector service selects owner nodes within a given node group using a consistent hashing algorithm. Runtime 302 can use node group service object 334 to forward requests to owner nodes for services that implement replication with consensus as described herein. Runtime 302 can use node selector service object to determine owner nodes. Management service provides a REST front end for changing various configuration data, such as TCP port, maintenance intervals, etc. Access control services control user access to services. When authentication and authorization are enabled, all requests to a service are subject to two additional checks: (1) Is the request on behalf of a valid user? (2) Is that user authorized to perform the desired action of the service? Any unauthorized access will result in a “forbidden” response from framework 212. Core service objects 301C can include various other service objects 340, such as instances of DNS services, log services, JavaScript services, and the like.

Framework 212 is configured to support clustering, that is, the ability to group together a set of nodes for the purposes of scale-out, high-availability, and unified management. Framework 212 manages node group membership (e.g., using node group service), balancing and forwarding of requests, replication, and synchronization. As discussed above in FIG. 2, a node group includes a plurality of nodes. A given node can belong to multiple node groups. A service belongs to a single node group. Node group service manages group membership using a gossip protocol. In general, a new node joins the node group through an existing member. Each node in the node group sends its view of membership to peer nodes in the node group during maintenance intervals (e.g., using a PATCH request handled by node group service object 334). Nodes can update their view of membership based the membership views received from peers.

Framework 212 implements balancing and forwarding of requests (e.g., using host logic 308 and node selector service). A request can enter through any node in the node group. If a service includes an owner (e.g., configured using the OWNER_SELECTION service option), framework 212 forwards requests targeting the service to its owner node. Node selector service employs a consistent hashing algorithm to designate an owner node for a given service per request. As a result, ownership per service is fixed as long as node group membership is stable. As nodes are added and removed from the node group, ownership per service can change. Framework 212 increments a replication epoch for a service in response to ownership changes. The consistent hashing algorithm ensures that ownership across services is evenly spread across group members.

Framework 212 implements replication across nodes in a node group (e.g., using service logic 309, host logic 208, and node selector service 336). Service state can be updated by a service instance at an owner node. In response, the owner node increments state version and replicates the updated state to peer nodes in the node group. Framework 212 can be configured to replicate updated state to all group members or only a portion of the group. If replication fails, then the request that triggered the state update fails and synchronization is triggered. If replication is successful, the updated state is persisted at the owner node. Framework 212 employs a consensus algorithm to determine whether replication is successful.

Framework 212 implements synchronization (e.g., using service logic 309 and host logic 308). Synchronization can be triggered on demand, periodically, or in response to replication failure. During synchronization, framework 212 selects an owner for a service. The owner node broadcasts a request to its peer nodes to obtain their latest state for the service. Framework 212 on the owner node chooses the best state based on replication epoch and version. The owner node then sends the selected best state for the service to the peer nodes in the node group.

In the embodiment of FIG. 3, each of runtime 302, core service objects 301C, and utility service instances 301U are described has performing specific functionalities of framework 212. Although specific examples are described where a given component performs a given function, any functionality of framework 212 described herein can be performed by runtime 302, core service objects 301C, utility service objects 301U, or a combination thereof. Moreover, although runtime 302 is described as having a specific component structure, the functionalities of runtime 302 can be performed by any of one or more logic components, including HTTP logic 305, host logic 308, service logic 309, and operation logic 311, or any other component.

In various embodiments, a component in framework 212 is described as “obtaining state” of a particular service. Service state can be obtained using various techniques, each of which ultimately results in either the state being obtained from cache 362 or service state data 314 in document store 352. In an embodiment, a client or service can obtain state by sending a request with the GET verb to the service. In such case, the service takes care of obtaining state from cache 362 or using the index service. Alternatively, a client or service can directly send a request with the POST verb to the index service to obtain service state.

In various embodiments, a component in framework 212 is described as “forwarding a request” to a target service or “sending a request” to a target service. To perform some work for a request, a client or service can send the request with the POST verb to the target service. To get service state, a client or service can send the request with the GET verb as described above. To modify service state, a client or service can send the request with the PATCH verb. To replace service state, a client or service can send the request with a PUT verb.

FIG. 4 is a flow diagram depicting a method 400 of implementing a control plane for services in a computer system according to an embodiment. Method 400 can be used to implement DCP 122 in computer system 100. Method 400 begins at step 402, where an administrator executes a service host process 300 (e.g., node 206) on software platform 103 of a host computer 150. As discussed above, service host process 300 includes framework 212 that provides a plurality of functionalities. Example functionalities include synchronization, replication, persistence, consensus and leader election, and the like.

At step 404, runtime 302 in framework 212 creates a service object 301 in service host process 300 based on a specification of a service (e.g., service specifications 312). Service object 301 includes a REST API. The REST API supports a plurality of verbs (e.g., HTTP PUT, PATCH, GET, DELETE, POST, etc.). Service specifications 312 define declared options for the service. The declared options are used to define the capabilities of the service. For example, a declared option PERSISTENCE makes the service durable; a declared option REPLICATION makes the service a replicated service; a declared option OWNER_SELECTION adds consensus and leader election to the replication protocol, etc.

At step 406, runtime 302 selectively enables functionalities for use by service object 301 based on the declared options for the service. At step 408, runtime 302 processes requests for the service through the REST API implemented by service object 301, which uses one or more of the enabled functionalities provided by runtime 302 in response to the requests. Requests can originate from client applications 165, from remote services (services in another node), or from local services (services in this node). Request processing can vary depending on the enabled functionalities. For example, if the REPLICATION option is declared, requests that update service state are replicated across peer nodes. If the PERSISTENCE option is declared, updated state is stored as a new version of state in document store 352. Service object 301 uses enabled functionalities provided by runtime 302 through asynchronous operations. Thus, all service interactions take place through asynchronous message passing.

Step 408 includes a step 410, where runtime 302 schedules handlers 304 for service object 301 to execute in a pool of threads 306 managed by runtime 302. Thus, a single pool of threads is used across all services in the same service host process (node). Service handlers run in any available thread and do not share a call stack with other services. A handler can inherit functionality from runtime 302 (e.g., default handlers in service logic 309). A handler can instead include a functionality specified in the specification for the service (e.g., handlers that override the default handlers in service logic 309). A handler can both inherit functionality from runtime 302 and include custom functionality. Step 408 can include a step 412, where runtime 302 creates a service document object 364 to hold service state for use by handlers 304 of service object 301. Service document object 364 is created based on a specification of a service document (e.g., in service specifications 312).

Steps 404-412 can be performed for each service hosted by the node. Method 400 can be performed for multiple nodes of DCP 122. Multiple nodes can execute on a single host and/or across multiple hosts.

FIG. 5 is a state diagram showing service object lifecycle 500 according to an embodiment. Services objects 301 transition through a plurality of processing stages of service object lifecycle 500. Service object lifecycle 500 begins at a create stage 502, where a service object is instantiated (e.g., using a service factory object or directly by the service host process) and is attached to the service host process. The service host process maintains a list of all attached service objects. Runtime 302 also generates a request to start the service, which is provided as input to a service start state machine that controls the startup portion 550 of service object lifecycle 500. Startup portion 550 is between create stage 502 and available stage 516.

After creation, service object lifecycle 500 proceeds to initialization stage 504, where runtime 302 initializes an operation object that encapsulates the startup request. For example, runtime 302 can initialize an authorization context for the startup request. Runtime 302 also determines whether the service being started is indexed and, if so, selects a load state stage 506 as the next stage. If the service being started is not indexed, runtime 302 selects an owner selection stage 508 as the next stage.

After initialization, service object lifecycle 500 can transition to load state stage 506 (i.e., if the service is indexed). During the load state stage 506, runtime 302 loads the most recent service document of the service into memory and links it to the startup request. If there is an initial service state provided in the request to create the service, the initial service state is used as the most recent service document.

From either initialization stage 504 or load state stage 506, service object lifecycle 500 transitions to owner selection stage 508. At owner selection stage 508, runtime 302 determines whether the service being started is replicated (i.e., the REPLICATION service option is set). If not, runtime 302 transitions directly to a start stage 512. If the service being started is replicated, runtime 302 assigns a node ID of the owner node for the service to the service object and sets the next stage as a synchronization stage 510.

During synchronization stage 510, the service object synchronizes service state with other service objects for the service on peer nodes. From either owner selection stage 508 or synchronization stage 510, service object lifecycle 500 transitions to start stage 512. At start stage 512, the service object becomes visible to clients, processes any self-requests, and queues external requests. Runtime 302 calls a creation handler, start hander, or both of the service object during start stage 512.

From start stage 512, service object lifecycle 500 transitions to index state stage 514, where runtime 302 requests index service to index and store the service document object linked to the service object. From index state stage 514, service object lifecycle 500 transitions to available stage 516. At available stage 516, the service object de-queues and processes requests.

From available stage 516, service object lifecycle 500 can transition to pause stage 518. In pause stage 518, the service is paused (e.g., runtime 302 can pause a service in response to memory pressure). Service object lifecycle 500 can transition back to available stage 516 from pause stage 518 (e.g., runtime 302 can resume a paused service in response to a request targeting the service). From available stage 516, service object lifecycle 500 can transition to a stop stage 520. At stop stage 520, runtime 302 reclaims resources used by the service object. Runtime 302 calls a stop handler of the service object during stop stage 520 and removes the service object from the attached service list of the service host process.

Decentralized Control Plane Access Control

FIG. 8 is a block diagram depicting an access control subsystem of the framework 212 according to an embodiment. Elements of framework 212 that are not related to access control are omitted for clarity. As shown in FIG. 8, framework 212 includes an authentication service 802, an authorization context service 804, and access control service factories 810. Access control service factories 810 create instances of a user service 812, a user group service 814, a resource group service 816, a role service 818, and an authorization credentials service 820. Service state data 314 stores service documents for user state 822, user group state 828, resource group state 832, role state 836, and authorization credentials service state 846.

In an embodiment, framework 212 implements access control as follows: Authentication is performed for users; authorization is implemented through roles; roles belong to users through user groups; roles apply to resources (services) through resource groups; roles allow/deny actions (e.g., HTTP verbs) to be executed by users against services; a user group is expressed as a query over users; and a resource group is expressed as a query over services. A user includes a user identity, such as an e-mail address. A user is represented by an instance of user service 812. The URI of an instance of user service 812 is a user indicator for the user. For example, a user indicator can be/core/authz/users/user1234, which refers to an instance of user service 812. An instance of user service 812 is created by sending a request to a user service factory in factories 810. User state 822 for user service 812 includes fields for a user identity (user ID) 824 and links to user group indicators (“user group links 826”). User ID 824 can be set to an e-mail address or other identity for a user (e.g., example@localhost). Each user group link 826 can be set to an indicator of a group in which the user is a member (e.g., a URI of an instance of user group service 814). Multiple instances of user service 812 can be created to represent multiple users in the system.

A user group is a set of users. Access to services is granted to user groups, not individual users. A user group is represented by an instance of user group service 814. The URI of an instance of user group service 814 is a user group indicator for a user group. For example, a user group indicator can be/core/authz/user-groups/user-group1234, which refers to an instance of user-group service 814. An instance of user-group service 814 is created by sending a request to a user group service factory in factories 810. User group state 828 for user-group service 814 includes a query 830. Query 830 includes one or more terms and optionally one or more connectors that define a query to be executed against index data 318. The results of query 830 is one or more service documents having state of one or more instances of user service 812. An example query in JSON format is:

“query”: { “occurrence”: “MUST_OCCUR” “term”: { “propertyName”: “documentSelfLink”, “matchValue”: “/core/authz/users/user1234”, “matchType”: “TERM” } } The example query includes a single term that must occur: documentSelfLink must match /core/authz/users/user1234. The documentSelfLink field in a document describing user state is a URI of an instance of user service 812. The example query defines a user group having a single user with the user indicator/c ore/authz/users/user1234.

Query 830 can also include wildcards. Another example query in JSON format is:

“query”: { “occurance”: “MUST_OCCUR”, “term”: { “propertyName”: “documentSelfLink”, “matchValue”: “/core/authz/users/*”, “matchType”: “WILDCARD” } } This example query defines a user group for all user indicators/core/authz/users/*, which is all instances of user service 812 (all users in the system). User group links 826 in user state 822 is a list of user group indicators (URIs for instances of user group service 814) for user groups in which user ID 824 belongs.

A resource group is a set of services. A resource group is represented by an instance of resource group service 816. The URI of an instance of resource group service 816 is a resource group indicator for a resource group. For example, a resource group indicator can be /core/authz/resource-groups/resource-group1234, which refers to an instance of resource group service 816. An instance of resource group service 816 is created by sending a request to a resource group service factory in factories 810. Resource group state 832 for an instance of resource group service 816 includes a query 834. Query 834 includes one or more terms and optionally one or more connectors that define a query to be executed against index data 318. The results of query 830 is one or more service documents having state of one or more services. An example query in JSON format is:

“query”: { “occurance”: “MUST_OCCUR”, “booleanClauses”: [ { “occurance”: “MUST_OCCUR”, “term”: { “propertyName”: “documentAuthPrincipalLink”, “matchValue”: “/core/authz/users/user1234”, “matchType”: “TERM” } }, { “occurance”: “MUST_OCCUR”, “term”: { “propertyName”: “documentKind”, “matchValue”: “ExampleService:ExampleServiceState”, “matchType”: “TERM” } } ] }

The example query defines a group of ExampleService services having an authorized principal of /core/authz/users/user1234 (e.g., all instances of ExampleService owned by the user represented by user1234). This example query includes two terms that must occur (e.g., documentAuthPrincipalLink=/core/authz/users/user1234 and documentKind=ExampleService:ExampleServiceState.

A role provides permissions (an access policy) to a single user group for a single resource group. A role is represented by an instance of role service 818. The URI of an instance of role service 818 is a role indicator for a role. For example, a role indicator can be /core/authz/roles/role1234, which refers to an instance of role service 818. An instance of role service 818 is created by sending a request to a role service factory in factories 810. Role state 836 for an instance of role service 818 includes fields for a link to a user group (“user group link 838”), a link to a resource group (“resource group link 840”), and an access policy 842. User group link 838 indicates a URI of an instance of user group service 814. Resource group link 840 indicates a URI of an instance of resource group service 816. Access policy 842 specifies permit/deny permissions for actions of the REST API (e.g., HTTP verbs). For example, sending a GET request to/core/authz/roles/role1234 can return the following JSON snippet:

“documentLinks”: [ “/core/authz/roles/role1234” ], “documents”: { “/core/authz/roles/role1234”: {  “userGroupLink”: “/core/authz/user-groups/user-group1234”,  “resourceGroupLink”: “/core/authz/resource-groups/resource- group1234”, “verbs”: [ “POST”, “DELETE”, “GET”, “PATCH”, “PUT”, “OPTIONS” ], “policy”: “ALLOW”, ... output trimmed ... } In the example, the instance of role service 818 identified by URI /core/authz/roles/role1234 includes a link to an instance of user group service 814 identified by URI /core/authz/user-groups/user-group1234, and a link to an instance of resource group service 816 identified by URI/core/authz/resource-groups/resource-group1234. The access policy permits access for the POST, DELETE, GET, PATCH, PUT, and OPTIONS actions. User service 812, user group service 814, resource group service 816, and role service 818 provide a framework for providing role based access control (RBAC).

Framework 212 also authenticates a user. In an embodiment, framework 212 requires a request to include a token, which a user obtains after authentication. The token encodes a set of claims, which includes at least a user indicator and an expiration time. The token also includes a signature, such as a hash of the claims, generated using a private key maintained by framework 212. A user can obtain a token by sending a login request to framework 212. Host logic 308, service logic 309, or both include authorization logic 805. Authorization logic 805 is configured to parse the token in a request, validate the signature and expiration time, and obtain the user indicator (e.g., URI of an instance of user service 812). Authorization logic 805 then determines if the user is authorized to perform the requested action of the service. Operation of authorization logic 805 is described further below.

A user obtains a token by sending a login request to framework 212. In an embodiment, authentication service 802 is configured to process login requests. For example, a login request can be a POST request targeting authentication service 802 having a username (e.g., user identity, such as e-mail address) and password in the header and a request type in the body (e.g., LOGIN or LOGOUT). Authentication service 802 determines if the user identity is associated with an instance of user service 812 and verifies the password against an authentication store. In an embodiment, framework 212 maintains an authentication store using instances of authentication credentials service 820. Authentication credentials service 820 is backed by authentication credentials service state 846. Authentication credentials service state 846 includes a field user ID 850 and a field private key 852. User ID 850 is set to a user identity (e.g., user e-mail address) and private key 852 is set to the user's password. An instance of authentication credentials service 820 is created for each user. Authentication credentials service state 846 can also include a link to an instance of user service 812 corresponding to the user identity stored in user ID 850 (“user link 848”).

In other embodiments, framework 212 can use one or more authentication backends for authentication rather than using authentication service 820. For example, framework 212 can communicate with a lightweight directory access protocol (LDAP) backend. In such case, framework 212 can include an LDAP user service 806 that works with the LDAP backend (not shown) to authenticate users and distribute tokens.

Authorization context service 804 is a stateless service that populates authorization contexts for requests. Framework 212 associates different authorization contexts with requests. Authorization logic 805 assigns a guest authorization context to any request from a non-privileged service or client that does not include a token. Some services managed by framework 212 can be privileged services that execute in a system authorization context. When running in the system authorization context, regular security checks are bypassed to allow access to all services. Services are explicitly marked as privileged before the service host process is started. For requests from non-privileged services and clients that include a token, host logic 308 generates an initial authorization context from the token and authorization context service 804 populates the authorization context by in response to state from instances of user service 812, user group service 814, resource group service 816, and role service 818. Operation of authorization context service 804 is discussed further below.

FIG. 9 is a flow diagram depicting a method 900 of controlling access to a target service according to an embodiment. Method 900 includes steps performed by framework 212. In an embodiment, some steps are performed by host logic 308 and other steps are performed by authorization context service 804. Method 900 begins at step 902, where host logic 308 receives a request for the target service from the client. At step 904, authorization logic 805 in host logic 308 pre-processes the request to initialize an authorization context for the request. An embodiment of the pre-processing step 904 is described below with respect to FIG. 10. In general, authorization logic 805 determines if the request includes a token and, if so, initializes the authorization context based on information in the token. If the request does not include a token, authorization logic 805 initializes the authorization context as the guest authorization context. At step 906, authorization logic 805 forwards the request and initialized context to authorization context service 804 for population. Steps 902, 904, and 906 comprise front-end processing 901 performed by host logic 308 in response to receiving a request for a target service.

In an embodiment, framework 212 processes each request using an operation that encapsulates the request. Logic in framework 212 that processes a request receives the operation as input and can modify the operation based on the processing performed. Thus, the request and the authorization context can be encapsulated by an operation, which is forwarded to authorization context service 804 in step 906.

FIG. 13 is a block diagram depicting service document object 600 according to another embodiment. FIG. 13 shows example details of built-in fields 604 according to an embodiment. Other elements of service document object 600 are omitted for clarity and are described above with respect to FIG. 6. As shown in FIG. 13, build in fields 604 include a kind field 1306, a self-link field 1308, and an authorized principal link field 1310. Kind field 1306 indicates the kind of document (e.g., a structured string identifier for the type of document). Self-link field 1308 indicates a URI to the service managing the document. Authorized principal link field 1310 indicates a URI to a user service owning the document.

FIG. 14 is a block diagram depicting operation object 700 according to another embodiment. FIG. 14 shows example details of authorization context 708 and headers 718 according to an embodiment. Other elements of operation object 700 are omitted for clarity and are described above with respect to FIG. 7. As shown in FIG. 14, headers 718 can include a token 1416. Token 1416 is string that encodes a data structure, such as a JSON structure, that includes at least a user indicator and an expiration time. The data structure can include other data, such as an issuer of the token. The string of token 1416 also includes a signature for verifying that token 1416 is valid. The key/value pairs for the user indicator and the expiration time, or any other key/value pairs encoded in token 1416, comprise the claims of token 1416.

After initialization, authorization context 708 includes claims 1404 derived from a valid token or otherwise generated by framework 212 (e.g., claims for a guest authorization context can be generated by framework 212). Authorization context 708 can also include a token 1406 that encodes claims 1404 and other data, such as a user indicator, issuer, etc. Token 1406 can be a copy of token 1416 in request message 1408. Authorization context 708 also includes one or more authorization queries 1407 that can be executed against index data 318 to obtain state of services authorized for access. Each authorization query 1407 is a resources group query or a disjunctive combination of a plurality of resource group queries. Authorization context 708 can also include one or more authorization query filters 1409 that correspond to authorization query(ies) 1407. An authorization query filter 1409 can be used to verify that a given state obtained for a target service is authorized for access. Authorization queries 1407 and authorization query filters 1409 are discussed further below. Authorization context 708 can include a unique authorization query 1407 and authorization query filter 1409 for each of a plurality of actions.

Returning to FIG. 9, method 900 proceeds from step 906 to step 908. At step 908, authorization context service 804 identifies a user indicator from the request. As described above, the user indicator can be encoded in a token of the request. The user indicator is a URI of an instance of user service 812 that encapsulates a particular user.

At step 910, authorization context service 804 determines whether authorization queries have already been generated for the user indicator. In particular, the process for obtaining authorization queries to be used to authorize a request to the targeted service involves several transactions of obtaining state from instances of user service 812, user group service 814, resource group service 816, and role service 818. Framework 212 may have received several requests having the same user indicator therein. In such case, authorization context service 804 can generate the authorization queries used to authorize the request once for all requests having the same user indicator. Thus, if the authorization queries have already been generated at step 910, method 900 proceeds to step 912, where authorization context service 804 populates the authorization context with previously obtained authorization queries and corresponding authorization query filters.

Otherwise, method 900 proceeds to step 914, where authorization context service 804 obtains applicable user, user group, role, and resource states and generates the authorization queries and authorization query filters. As discussed above, roles belong to users through user groups and apply to resources through resource groups. Resource group state 832 includes query 834 that can be evaluated against index data 318 to obtain states for a particular group of services. A given user may be assigned to multiple user groups and thus multiple roles can apply to a given user. As such, multiple queries 834 can apply to a given user through multiple roles. One or more queries 834 can be combined to form an authorization query. Since roles can specify different access policies for different actions, there can be a unique authorization query derived from the applicable roles for each action. Authorization query filters are generated from the authorization queries.

At step 916, authorization context service 804 populates the authorization context with the authorization query(ies) generated from query(ies) of resource group state(s). An embodiment of step 914 is described below with respect to FIG. 11. Method 900 proceeds to step 918 from either step 912 or step 916.

At step 918, host logic 308 performs backend processing of the request. The backend request processing can include the following steps: At step 920, host logic 308 obtains state of the target service. At step 922, authorization logic 805 obtains an authorization group query filter from the authorization context for the target action of the request. At step 924, authorization logic 805 evaluates the authorization query filter against the state of the target service. At step 926, authorization logic 805 fails the request if the state of the target service does not match the authorization query filter, or schedules the request for processing by the target service if the state of the target service does match the authorization query filter. In this manner, authorization logic 805 implements the access policy defined by role(s) assigned to the user.

Method 900 can be further understood with reference to the following example. Assume a user having an identity example@localhost authenticates with framework 212 and obtains a token. In an embodiment, the token is a JSON Web Token (JWT). An example JWT is:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJkY3AiLCJzdWIiOiI vY29yZS9hdXRoei91c2Vycy91c2VyMTIzNCIsImV4cCI6MTQ1MjA0MjM2OTQyNjA wMH0.D3BTCIXlx5iRLRWtQ2O3QdXSGEDOKdVu4zXj9JQWLxQ The example token above encodes the following payload: { “iss”: “dcp”, “sub”: “/core/authz/users/user1234”, “exp”: 1452042369426000 } The key “sub” refers to the subject or user indicator, which has a value of /core/authz/users/user1234 (e.g., the URI of a user service instance for the user). The key “exp” refers to the expiration time of the token, and the key “iss” refers to the issuer of the token. Token formats other than JWT can be used and the token can include additional claims. Host logic 308 verifies the token and initializes the authorization context with the claims (step 904). Host logic 308 then forwards the request and initialized authorization context to authorization context service 804.

Assume the user indicator/core/authz/users/user1234 is in a user group having a user group indicator/core/authz/user-groups/user-group1234; a first role (/core/authz/roles/role1234) is defined that links the user group with a resource group having a resource group indicator/c ore/authz/resource-groups/resource-group1234; and a second role (/core/authz/roles/role5678) is defined that links the user group with a resource group having a resource group indicator /core/authz/resource-groups/resource-group5678. Assume further that resource-group1234 includes a query that finds all ExampleService documents where the authorized principal is/core/authz/users/user1234, and resource-group5678 includes a query that finds all ExampleService documents where the field name of the service state is foo. Finally, assume that the role1234 permits actions GET, POST, PATCH, PUT, and DELETE, and that the role5678 permits action GET.

Authorization context service 804 obtains the state of the services representing the user, user group, role, resource group entities and generates a plurality of authorization queries and authorization query filters. For the actions POST, PATCH, PUT, and DELETE, the authorization query is the same as the query of resource-group1234, that is all ExampleService documents where the authorized principal is /core/authz/users/user1234. For the action GET, the authorization query is a disjunctive combination of the query from role1234 and the query from role5678, i.e., all ExampleService documents where the authorized principal is /core/authz/users/user1234 or all ExampleService documents where name is foo. Authorization context service 804 adds the authorization queries and corresponding authorization query filters to the authorization context.

Assume the user sends a GET request to an instance of ExampleService having a state where name is foo. Host logic 308 obtains the state (step 920), obtains the authorization query filter for the action GET from the authorization context (step 922), and applies the access policy of role1234 and role5678 by evaluating the authorization query filter for the action GET. In this example, since the state includes the value foo for the field name, the state satisfies the authorization query filter. In another example, assume the user sends a PATCH request to an instance of ExampleService having a state where name is foo and documentAuthPrincipalLink is/core/authz/users/user5678. Host logic 308 applies the access policy of role1234 and role5678 by evaluating the authorization query filter for the action PATCH. In this example, since the state includes the value /core/authz/users/user5678 for the field documentAuthPrincipalLink, the state does not satisfy the authorization query filter for the action PATCH.

In the example above, the state of the target service originates form a single service document backing the target service. In other examples, the state of a target service can be aggregated from multiple service documents (e.g., the “state” of a service can be the aggregated state of a plurality of other services). In such case, the authorization query filter for the target action acts to filter the obtained state so that only the authorized portions are available for the request.

FIG. 10 is a flow diagram depicting a method of pre-processing a request to initialize an authorization context according to an embodiment. The method shown in FIG. 10 is an embodiment of step 904 of method 900 for controlling access to a target service. The method begins at step 1002, where host logic 308 receives an operation using a request handler. At step 1004, host logic 308 determines if there is a token in the request. If not, the method proceeds to step 1006, where host logic 308 initializes the authorization context for the request to the guest authorization context. If there is a token in the request, the method proceeds to step 1008.

At step 1008, host logic 308 parses the token and initializes the authorization context for the request. Step 1008 can include the following steps: At step 1010, host logic 308 verifies the signature of the token. At step 1012, host logic 308 verifies the expiration time against a current time. At step 1014, host logic 308 obtains the user indicator from the token. At step 1016, host logic 308 determines whether the token is valid and has been successfully parsed. If not, the method proceeds to step 1006, where the guest authorization context is used. Otherwise, the method proceeds to step 1018, where the pre-processing is ended.

FIG. 11 is a flow diagram depicting a method of generating authorization queries for an authorization context according to an embodiment. The method shown in FIG. 11 is an embodiment of step 914 of method 900 for controlling access to a target service. The method begins at step 1102, where authorization context service 808 obtains the state of an instance of user service 812 identified by the user indicator in the initialized authorization context. At step 1104, authorization context service 808 identifies one or more user group indicators in the user service state. At step 1106, authorization context service 808 obtains the state of each instance of user group service 814 for the user group indicator(s) identified in step 1104. At step 1108, authorization context service 808 obtains the state of one or more instances of role service 818 that reference user group indicator(s) obtained at step 1104. At step 1110, authorization context service 808 obtains the state of an instance of resource group service 816 identified by the resource group indicator in each role state. At step 1112, authorization context service 808 generates an authorization query and authorization query filer for each action identified in role(s) form resource query(ies) in role state(s).

FIG. 12 is a flow diagram depicting a method 1200 of authenticating a login request according to an embodiment. Method 1200 begins at step 1202, where host logic 308 receives a login request for a target authentication service from a client. At step 1204, host logic 308 selects a guest authorization context for the request (i.e., the login request does not have a token). At step 1206, host logic 308 forwards the logic request and guest authorization context to authentication service 802.

At step 1208, authentication service 802 identifies a user identity in the request (e.g., user e-mail). At step 1210, authentication service 802 determines if the user is known (i.e., there is an instance of user service 812 that represents the user). If not, method 1200 proceeds to step 1212, where authentication service 802 fails the request. If the user is known, method 1200 proceeds to step 1214. At step 1214, authentication service 802 gets state of an instance of authentication credentials service 820 based on a user indicator for the instance of user service 812 representing the user. At step 1216, authentication service 802 verifies the password in the request against the private key in the authentication credentials state. Alternatively, authentication service 802 can forward the requests and authentication credential state to an external entity or other service managing external authentication (e.g., LDAP service 806).

At step 1218, authentication service 802 determines if the login request has been authenticated. If not, method 1200 proceeds to step 1212, where authentication service 802 fails the request. Otherwise, method 1200 proceeds to step 1220, where authentication service 802 sends a token to the client in response to the login request.

In the embodiments described above, framework 212 of DCP 122 includes authentication and authorization logic for controlling access to a plurality of services managed by framework 212. However, the authentication and authorization techniques described above can be used for controlling access to other types of resources than services, such as other types of software, computer hardware, network resources, and the like.

Decentralized Control Plane Rate Limiting

Referring to FIG. 8, in some embodiments, host logic 308 can include rate limiting logic 860. Rate limiting logic 860 provides a global backpressure mechanism for requests targeting the various services managed by the service host process. Host logic 308 can maintain a collection of rate limits 862. In an embodiment, rate limits 862 is a map that relates keys with rate limit values. For each incoming request, the keys are generated from a context for the request (e.g., user, tenant, context ID, etc.). A user can setup rate limits 862 at the start of the service host process. An operation that encapsulates each request is associated with a key. The service host process tracks and applies the limit for each inbound request that belongs to the same context.

FIG. 15 is a flow diagram depicting a method 1500 of processing a request for a service in a control plane according to an embodiment. Method 1500 begins at 1502, where the service host process receives a request from a client targeting a service. At step 1504, the service host process generates an operation object that encapsulates a request/response pattern started by the request. The request/response pattern includes a request and a response thereto, such as an HTTP request and HTTP response as described above. The operation object can be configured as described above in FIGS. 7 and 14. At step 1506, the service host process populates fields of the operation object with a context for the request/response pattern. In an embodiment, at step 1508, the service host process populates authorization context 708 of the operation object, as described above. At step 1509, the service host process can set a context ID field 1410 (FIG. 14) of the operation object. In an embodiment, the service host process can obtain the context ID from a context ID header 1412 (FIG. 14) in headers 718 of the request. In another embodiment, the service host process can generate the context ID from other fields of the operation object.

At step 1510, the service host process determines a rate limit key based on the context stored by the operation object. In an embodiment, at step 1512A, the service host process sets the key to a service URI identified in the context. For example, the service host process can set the key to a user service URI identified in the context (e.g., from claims 1404). In such an example, an administrator can setup rate limits for different users of the control plane. In another example, the service host process can set the key to a tenant service URI identified in the context. A tenant can include a particular group of users (e.g., similar to a user group discussed above). In such an example, an administrator can setup rate limits for different tenants of the control plane. In general, any service URI can be used as the key. In another embodiment, at step 1512B, the service host process can set the key to the context ID of the operation object. In such an example, an administrator can setup rate limits for different context IDs.

At step 1514, the service host process obtains a rate limit value associated with the rate limit key. In an embodiment, the service host process obtains the rate limit value from rate limits 862 (FIG. 8). At step 1516, the service host process determines a rate of requests targeting the service (“request rate”). At step 1518, the service host process determines whether the request rate exceeds the rate limit value. If so, method 1500 proceeds to step 1520, where the service host process sends a response to the client indicating that the rate limit for the service is exceeded. The response can include a suggested retry time for the client to re-submit the request. If at step 1518 the rate limit is not exceeded, method 1500 proceeds to step 1522. At step 1522, the service host process queues or schedules the request for processing by a service handler of the service.

FIG. 16 is a block diagram depicting an example of a rate limit object 1600 according to an embodiment. Rate limits 826 (FIG. 8) can be a map relating the keys to rate limit objects. Rate limit object 1600 includes a rate limit 1602, a count 1604, and a start time 1606. Rate limit 1602 stores a rate limit value. Count 1604 stores a running count of the number of times rate limit object 1600 has been accessed to obtain the rate limit value for a request. Start time 1606 stores a reference time for a current rate limit epoch. The service host process can include one or more rate limit epochs and can reset count 160 and start time 1606 for each rate limit epoch.

FIG. 17 is a flow diagram depicting a method of determining a request rate according to an embodiment. The method of FIG. 17 can be performed in step 1516 of method 1500 described above. The method begins at step 1702, where the service host process gets and increments count 1604 of a rate limit object associated with the key. At step 1704, the service host process determines a difference between a current time and start time 1606 of the rate limit object. At step 1706, the service host process determines the number of requests per second based on the count and the delta-time between the current time and start time 1606.

The various embodiments described herein may employ various computer-implemented operations involving data stored in computer systems. For example, these operations may require physical manipulation of physical quantities—usually, though not necessarily, these quantities may take the form of electrical or magnetic signals, where they or representations of them are capable of being stored, transferred, combined, compared, or otherwise manipulated. Further, such manipulations are often referred to in terms, such as producing, identifying, determining, or comparing. Any operations described herein that form part of one or more embodiments of the invention may be useful machine operations. In addition, one or more embodiments of the invention also relate to a device or an apparatus for performing these operations. The apparatus may be specially constructed for specific required purposes, or it may be a general purpose computer selectively activated or configured by a computer program stored in the computer. In particular, various general purpose machines may be used with computer programs written in accordance with the teachings herein, or it may be more convenient to construct a more specialized apparatus to perform the required operations.

The various embodiments described herein may be practiced with other computer system configurations including hand-held devices, microprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and the like.

One or more embodiments of the present invention may be implemented as one or more computer programs or as one or more computer program modules embodied in one or more computer readable media. The term computer readable medium refers to any data storage device that can store data which can thereafter be input to a computer system—computer readable media may be based on any existing or subsequently developed technology for embodying computer programs in a manner that enables them to be read by a computer. Examples of a computer readable medium include a hard drive, network attached storage (NAS), read-only memory, random-access memory (e.g., a flash memory device), a CD (Compact Discs)—CD-ROM, a CD-R, or a CD-RW, a DVD (Digital Versatile Disc), a magnetic tape, and other optical and non-optical data storage devices. The computer readable medium can also be distributed over a network coupled computer system so that the computer readable code is stored and executed in a distributed fashion.

Although one or more embodiments of the present invention have been described in some detail for clarity of understanding, it will be apparent that certain changes and modifications may be made within the scope of the claims. Accordingly, the described embodiments are to be considered as illustrative and not restrictive, and the scope of the claims is not to be limited to details given herein, but may be modified within the scope and equivalents of the claims. In the claims, elements and/or steps do not imply any particular order of operation, unless explicitly stated in the claims.

Virtualization systems in accordance with the various embodiments may be implemented as hosted embodiments, non-hosted embodiments or as embodiments that tend to blur distinctions between the two, are all envisioned. Furthermore, various virtualization operations may be wholly or partially implemented in hardware. For example, a hardware implementation may employ a look-up table for modification of storage access requests to secure non-disk data.

Certain embodiments as described above involve a hardware abstraction layer on top of a host computer. The hardware abstraction layer allows multiple contexts to share the hardware resource. In one embodiment, these contexts are isolated from each other, each having at least a user application running therein. The hardware abstraction layer thus provides benefits of resource isolation and allocation among the contexts. In the foregoing embodiments, virtual machines are used as an example for the contexts and hypervisors as an example for the hardware abstraction layer. As described above, each virtual machine includes a guest operating system in which at least one application runs. It should be noted that these embodiments may also apply to other examples of contexts, such as containers not including a guest operating system, referred to herein as “OS-less containers” (see, e.g., www.docker.com). OS-less containers implement operating system—level virtualization, wherein an abstraction layer is provided on top of the kernel of an operating system on a host computer. The abstraction layer supports multiple OS-less containers each including an application and its dependencies. Each OS-less container runs as an isolated process in userspace on the host operating system and shares the kernel with other containers. The OS-less container relies on the kernel's functionality to make use of resource isolation (CPU, memory, block I/O, network, etc.) and separate namespaces and to completely isolate the application's view of the operating environments. By using OS-less containers, resources can be isolated, services restricted, and processes provisioned to have a private view of the operating system with their own process ID space, file system structure, and network interfaces. Multiple containers can share the same kernel, but each container can be constrained to only use a defined amount of resources such as CPU, memory and I/O. The term “virtualized computing instance” as used herein is meant to encompass both VMs and OS-less containers.

Many variations, modifications, additions, and improvements are possible, regardless the degree of virtualization. The virtualization software can therefore include components of a host, console, or guest operating system that performs virtualization functions. Plural instances may be provided for components, operations or structures described herein as a single instance. Boundaries between various components, operations and data stores are somewhat arbitrary, and particular operations are illustrated in the context of specific illustrative configurations. Other allocations of functionality are envisioned and may fall within the scope of the invention(s). In general, structures and functionality presented as separate components in exemplary configurations may be implemented as a combined structure or component. Similarly, structures and functionality presented as a single component may be implemented as separate components. These and other variations, modifications, additions, and improvements may fall within the scope of the appended claim(s). 

We claim:
 1. A method of processing a request for a service of a control plane in a computer system, comprising: receiving the request, from a client, at a service host process executing on a software platform of the computer system; generating an operation object in the service host process that encapsulates a request/response pattern started by the request, the operation object including a plurality of fields that store a context for the request/response pattern within the service host process; determining a key based on the context stored by the plurality of fields; obtaining a rate limit associated with the key; and permitting or denying the request for the service based on whether a rate of requests targeting the service exceeds the rate limit.
 2. The method of claim 1, wherein the context includes a service identifier of another service managed by the service host process, wherein the plurality of fields includes a field that stores the service identifier, and wherein the step of determining comprises setting the key to the service identifier.
 3. The method of claim 2, wherein the other service is a user service having a state to stores an identity of a user of the control plane.
 4. The method of claim 2, wherein the other service is a tenant service having a state that stores an identity of a tenant of the control plane, the tenant including a plurality of users.
 5. The method of claim 1, wherein the context includes a context identifier, wherein the plurality of fields includes a field that stores the context identifier, and wherein the step of determining comprises setting the key to the context identifier.
 6. The method of claim 5, wherein the context identifier is obtained from the request.
 7. The method of claim 5, further comprising: generating the context identifier in response to at least one value of the context.
 8. The method of claim 7, wherein the at least one value of the context includes an identifier of a role that relates a user group assigned to a user and a resource group assigned to a plurality of services of the control plane.
 9. The method of claim 1, wherein the step of permitting or denying the request for the service comprises: invoking a handler of the service using the operation object as parametric input in response to the rate of requests targeting the service not exceeding the rate limit; and sending a response of the request/response pattern to the client in response to the rate of requests targeting the service exceeding the rate limit.
 10. The method of claim 1, wherein the rate limit and the key are members of a plurality of rate limits and a plurality of keys, respectively, in a map stored by the service host process that relates the plurality of keys with the plurality of rate limits.
 11. A non-transitory computer readable medium comprising instructions, which when executed in a computer system, causes the computer system to carry out a method of processing a request for a service of a control plane in a computer system, comprising: receiving the request, from a client, at a service host process executing on a software platform of the computer system; generating an operation object in the service host process that encapsulates a request/response pattern started by the request, the operation object including a plurality of fields that store a context for the request/response pattern within the service host process; determining a key based on the context stored by the plurality of fields; obtaining a rate limit associated with the key; and permitting or denying the request for the service based on whether a rate of requests targeting the service exceeds the rate limit.
 12. The non-transitory computer readable medium of claim 11, wherein the context includes a service identifier of another service managed by the service host process, wherein the plurality of fields includes a field that stores the service identifier, and wherein the step of determining comprises setting the key to the service identifier.
 13. The non-transitory computer readable medium of claim 12, wherein the other service is a user service having a state to stores an identity of a user of the control plane.
 14. The non-transitory computer readable medium of claim 12, wherein the other service is a tenant service having a state that stores an identity of a tenant of the control plane, the tenant including a plurality of users.
 15. The non-transitory computer readable medium of claim 11, wherein the context includes a context identifier, wherein the plurality of fields includes a field that stores the context identifier, and wherein the step of determining comprises setting the key to the context identifier.
 16. The non-transitory computer readable medium of claim 15, wherein the context identifier is obtained from the request.
 17. The non-transitory computer readable medium of claim 15, further comprising: generating the context identifier in response to at least one value of the context.
 18. The non-transitory computer readable medium of claim 17, wherein the at least one value of the context includes an identifier of a role that relates a user group assigned to a user and a resource group assigned to a plurality of services of the control plane.
 19. The non-transitory computer readable medium of claim 11, wherein the step of permitting or denying the request for the service comprises: invoking a handler of the service using the operation object as parametric input in response to the rate of requests targeting the service not exceeding the rate limit; and sending a response of the request/response pattern to the client in response to the rate of requests targeting the service exceeding the rate limit.
 20. A computer system, comprising: a hardware platform having a central processing unit (CPU), memory, and storage; a software platform executing on the hardware platform, the software platform includes a service host process of a control plane, the service host process executable by the CPU to: receive a request for a service, from a client, at the service host process; generate an operation object in the service host process that encapsulates a request/response pattern started by the request, the operation object including a plurality of fields that store a context for the request/response pattern within the service host process; determine a key based on the context stored by the plurality of fields; obtain a rate limit associated with the key; and permit or deny the request for the service based on whether a rate of requests targeting the service exceeds the rate limit. 